Mercurial > hg
comparison mercurial/sslutil.py @ 29578:4a4b8d3b4e43
sslutil: move comment about protocol constants
protocolsettings() is the appropriate place for this comment.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sun, 17 Jul 2016 11:03:08 -0700 |
| parents | 9654ef41f7cc |
| children | 6cff2ac0ccb9 |
comparison
equal
deleted
inserted
replaced
| 29577:9654ef41f7cc | 29578:4a4b8d3b4e43 |
|---|---|
| 137 'ctxoptions': None, | 137 'ctxoptions': None, |
| 138 # OpenSSL Cipher List to use (instead of default). | 138 # OpenSSL Cipher List to use (instead of default). |
| 139 'ciphers': None, | 139 'ciphers': None, |
| 140 } | 140 } |
| 141 | 141 |
| 142 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol | |
| 143 # that both ends support, including TLS protocols. On legacy stacks, | |
| 144 # the highest it likely goes is TLS 1.0. On modern stacks, it can | |
| 145 # support TLS 1.2. | |
| 146 # | |
| 147 # The PROTOCOL_TLSv* constants select a specific TLS version | |
| 148 # only (as opposed to multiple versions). So the method for | |
| 149 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and | |
| 150 # disable protocols via SSLContext.options and OP_NO_* constants. | |
| 151 # However, SSLContext.options doesn't work unless we have the | |
| 152 # full/real SSLContext available to us. | |
| 153 | |
| 154 # Allow minimum TLS protocol to be specified in the config. | 142 # Allow minimum TLS protocol to be specified in the config. |
| 155 def validateprotocol(protocol, key): | 143 def validateprotocol(protocol, key): |
| 156 if protocol not in configprotocols: | 144 if protocol not in configprotocols: |
| 157 raise error.Abort( | 145 raise error.Abort( |
| 158 _('unsupported protocol from hostsecurity.%s: %s') % | 146 _('unsupported protocol from hostsecurity.%s: %s') % |
| 287 def protocolsettings(protocol): | 275 def protocolsettings(protocol): |
| 288 """Resolve the protocol and context options for a config value.""" | 276 """Resolve the protocol and context options for a config value.""" |
| 289 if protocol not in configprotocols: | 277 if protocol not in configprotocols: |
| 290 raise ValueError('protocol value not supported: %s' % protocol) | 278 raise ValueError('protocol value not supported: %s' % protocol) |
| 291 | 279 |
| 292 # Legacy ssl module only supports up to TLS 1.0. Ideally we'd use | 280 # Despite its name, PROTOCOL_SSLv23 selects the highest protocol |
| 293 # PROTOCOL_SSLv23 and options to disable SSLv2 and SSLv3. However, | 281 # that both ends support, including TLS protocols. On legacy stacks, |
| 294 # SSLContext.options doesn't work in our implementation since we use | 282 # the highest it likely goes is TLS 1.0. On modern stacks, it can |
| 295 # a fake SSLContext on these Python versions. | 283 # support TLS 1.2. |
| 284 # | |
| 285 # The PROTOCOL_TLSv* constants select a specific TLS version | |
| 286 # only (as opposed to multiple versions). So the method for | |
| 287 # supporting multiple TLS versions is to use PROTOCOL_SSLv23 and | |
| 288 # disable protocols via SSLContext.options and OP_NO_* constants. | |
| 289 # However, SSLContext.options doesn't work unless we have the | |
| 290 # full/real SSLContext available to us. | |
| 296 if not modernssl: | 291 if not modernssl: |
| 297 if protocol != 'tls1.0': | 292 if protocol != 'tls1.0': |
| 298 raise error.Abort(_('current Python does not support protocol ' | 293 raise error.Abort(_('current Python does not support protocol ' |
| 299 'setting %s') % protocol, | 294 'setting %s') % protocol, |
| 300 hint=_('upgrade Python or disable setting since ' | 295 hint=_('upgrade Python or disable setting since ' |